
Remove jose from cli-kit (inline guarded JWT decode)#7730

Draft
amcaplan wants to merge 1 commit into main from remove-dep/jose

Conversation

@amcaplan
Contributor

@amcaplan amcaplan commented Jun 5, 2026

Remove jose from @shopify/cli-kit

Why: Part of an initiative to cut low-value dependency churn (13 Dependabot bumps / 24 months). Notably, this code path only ever decoded an id_token payload — it never verified signatures, so the full jose library was overkill.

Replacement: A guarded inline base64url JWT-payload decoder.

  • Sole site: packages/cli-kit/src/private/node/session/exchange.ts, where jose.decodeJwt(result.id_token).sub becomes getJwtSubject(idToken).
  • Guards (security-relevant): requires exactly 3 JWT segments; decodes the payload with Buffer.from(payload, 'base64url') (engines.node ≥ 22.12); JSON.parse wrapped in try/catch; rejects non-object / array / empty-object payloads before reading .sub (avoids the String.prototype.sub hazard a string payload would trigger).
  • Returns string | undefined; the existing caller's if (!userId) throw new BugError(...) already handles a missing subject — safer than the prior .sub! non-null assertion.

Tests: The decode path was previously untested. Added coverage in exchange.test.ts for exchangeDeviceCodeForAccessToken without an existingUserId (the path that triggers the decode) plus malformed-token guard cases.

Validation: type-check ✅, lint ✅, vitest ✅ (1 file, 19 tests, 0 failed).

🤖 AI-generated draft — needs human review before merge.

Co-Authored-By: Claude <noreply@anthropic.com>
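The guarded decoder described above, as an added example that is not the PR's own code: getJwtSubject applies the same guards (exactly three segments, base64url decode, JSON.parse in try/catch, object-shape checks before reading .sub) and additionally requires sub to be a non-empty string; makeUnverifiedToken is an assumed helper that builds constructed, unsigned tokens for exercising it.

```typescript
// Added example, not the cli-kit implementation. Decodes the payload of a
// compact JWT and returns its `sub` claim, or undefined on any malformed input.
// It never verifies the signature: the caller must already trust the token's
// origin (e.g. an id_token received directly from the issuer over TLS).
import {Buffer} from 'node:buffer'

function getJwtSubject(token: string): string | undefined {
  // Guard 1: a compact JWT is header.payload.signature, exactly three segments.
  const segments = token.split('.')
  if (segments.length !== 3) return undefined

  // Guard 2: decode with the base64url alphabet (no '+', '/' or '=' padding).
  // Buffer.from(..., 'base64url') does not throw on junk; it yields bytes that
  // then fail to parse as JSON, which guard 3 catches.
  const json = Buffer.from(segments[1], 'base64url').toString('utf8')

  // Guard 3: the payload must be valid JSON.
  let payload: unknown
  try {
    payload = JSON.parse(json)
  } catch {
    return undefined
  }

  // Guard 4: only a non-null, non-array object with at least one key is a
  // claim set. A bare string payload would otherwise expose the legacy
  // String.prototype.sub method instead of a claim.
  if (typeof payload !== 'object' || payload === null || Array.isArray(payload)) return undefined
  if (Object.keys(payload).length === 0) return undefined

  // Guard 5: `sub` must be a non-empty string (RFC 7519 defines it as StringOrURI).
  const sub = (payload as Record<string, unknown>).sub
  return typeof sub === 'string' && sub.length > 0 ? sub : undefined
}

// Assumed helper for constructed test tokens: an unsigned (alg "none") JWT
// whose payload is the given JSON value. Never use such tokens for real auth.
function makeUnverifiedToken(payload: unknown): string {
  const header = Buffer.from(JSON.stringify({alg: 'none', typ: 'JWT'})).toString('base64url')
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url')
  return `${header}.${body}.`
}
```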
@github-actions github-actions Bot added the Area: @shopify/cli @shopify/cli package issues label Jun 5, 2026
@amcaplan amcaplan added the dependency-removal Removes a dependency to cut Dependabot churn (cleanup initiative) label Jun 5, 2026